I recently took part in another webinar, this time with Lumension Security, covering issues around protecting company information. It was an interesting session as we had input from a vendor, customer and myself as an analyst. There is a transcript of my session and the event can be replayed here.
Protecting company information is becoming more and more difficult. As IT professionals we are faced with attacks from all sides, but ultimately the biggest threat to our data appears to be from our users.
I believe that the threat from our users boils down to these two key elements:
- The incompetent and non-malicious. These people make genuine mistakes based on lack of training, lack of awareness or being tired. Lost disks are a common example!
- The competent and malicious. These people are out to get you. They are, thankfully, a very, very small percentage of any employee base but they do exist.
I had a telephone call from my bank the other day and they asked me for the first line of my address to confirm who I was. Yes—they called ME and wanted ME to answer their security question. Of course it could have been anyone on a phishing trip and I told them I wasn't going to answer the question. The caller was most put out and quite frankly surprised I wasn't going to give him an answer. In actual fact I believed he was from my bank but wanted to make my point. Clearly the majority of people quite happily hand over their security details in these calls.
Unfortunately, managing the threat to company information is increasingly difficult as I believe we are now in the golden age of computer crime. We will look back in 10 years' time and shake our heads and wonder how we coped.
The value of data is increasing week by week as criminals enjoy more ways of getting to our property, be it corporate or personal. Ultimately this is probably the biggest problem we face in information security: how to manage our users effectively.
Of big concern is the ability for the authorities to cope with the problem. More often than not organisations feel alone in dealing with security problems. If you have a problem who do you call? Is your local police force going to prioritise your loss of intellectual property over burglaries? I have personally dealt with cases of data theft and whilst the authorities were surprisingly helpful their approach was strictly old school policing.
One key dynamic that is going to challenge us further when we are considering how we protect company data is the new generation of computer savvy youngsters coming into our work places.
Forget blanket bans on iPods and social networking: if you want to attract the brightest talent from an increasingly small demographic pool you need to make your workplace an interesting experience.
But how can this be balanced against the need to protect company information?
I did some research work recently on virtual worlds. It is not an area I had explored much before and was intrigued to consider the information security issues of these places. With the use of virtual money these virtual societies have an emerging and often complex social infrastructure. Virtual property can be purchased and you can pay for a REAL interior designer to decorate your virtual house.
This has implications for information security—I could actively hawk corporate information around a virtual world. What are the legal implications? How do laws regarding theft and fraud apply to "virtual world" information?
Worse still, consider the money laundering possibilities. I came across a character in Second Life who called themselves a drug dealer. Is this for real? If drugs can be traded in a virtual world then your intellectual property can as well.
The underground economy is huge. Many criminal organisations have a sophisticated infrastructure that would shame many 'legal' corporations, as they have roles and responsibilities ranging from marketing through to operations and finance. In fact many of these organisations would win prizes for their innovation and technical creativity if they were legitimate!
People exploits are growing. Access to your corporate information is now being facilitated through people-based attacks, be they call centre staff down the pub, on a social network or at the chief executive's golf club. Let's face it, how many organisations REALLY vet their staff before allowing them access to terabytes of corporate data?
The future for the safety of corporate information can be quite depressing.
Over the past few weeks we have seen how inter-governmental information warfare is now considered part and parcel of more traditional guns-and-bombs warfare. The increasing sophistication of these attacks quickly translates into the private sector as criminal gangs explore new methods of getting to corporate information.
In the seventies and eighties the UK was plagued by armed robberies, as banks and building societies were seen as soft touches for gangs trying to steal money. Despite the formation of specialist police squads (the Sweeney, anyone?) the tide of armed robberies was huge. Nowadays physical bank security has been tightened up, and new forensic systems are used to mark any money that may be stolen, to facilitate quicker recovery and prosecutions. Now it is not worth it for a sophisticated gang to "cross the pavement", as doing a bank robbery used to be known. It is much easier to click a mouse and steal data.
I mentioned the authorities earlier, and their ability to cope with data loss incidents. With the drive to save money in the public sector how can these authorities keep their skills up to date and hire the brightest and the best?
The future for data protection is going to be tough as we face new threats. Of course new and interesting innovations will appear on the market as vendors such as Lumension attempt to deal with the problem.
But ultimately people will be people. Over the past generations we may feel that we are more sophisticated but are we really? People still have the same aspirations and desires now as they did 100 years ago. The inside threat—the biggest threat to our company information—will always be a significant hurdle for security managers.